Device policies

You can configure how Endpoint Management interacts with your devices by creating policies. Although many policies are common to all devices, each device has a set of policies specific to its operating system. As a result, you might find differences between platforms, and even between different manufacturers of Android devices.

To view the policies that are available per platform:

  1. In the Endpoint Management console, go to Configure > Device Policies.
  2. Click Add.
  3. Each device platform appears in a list in the Policy Platform pane. If that pane isn’t open, click Show filter.
  4. To see a list of all policies available for a platform, select that platform. To see a list of the policies that are available for multiple platforms, select each of those platforms. A policy appears in the list only if it applies to each platform selected.

Device Policies configuration screen filtered

For a summary description of each device policy, see Device policy summaries in this article.

Note:

If your environment is configured with Group Policy Objects (GPOs):

When you configure Endpoint Management device policies for Windows 10 and Windows 11, keep the following rule in mind: if an Endpoint Management policy conflicts with a GPO on one or more enrolled devices, the setting aligned with the GPO takes precedence.

To see which policies the Android Enterprise container supports, see Android Enterprise.

Prerequisites

  • Create any delivery groups you plan to use.
  • Install any necessary CA certificates.

Add a device policy

The basic steps to create a device policy are as follows:

  1. Name and describe the policy.

    Important:

    Do not use a forward slash (/) in a policy name. If you do, an error might occur when you edit the policy later.

  2. Configure the policy for one or more platforms.
  3. Create deployment rules (optional).
  4. Assign the policy to delivery groups.
  5. Configure the deployment schedule (optional).

To create and manage device policies, go to Configure > Device Policies.

Device Policies configuration screen

To add a policy:

  1. On the Device Policies page, click Add. The Add a New Policy page appears.

    Device Policies configuration screen

  2. Click one or more platforms to view a list of the device policies for the selected platforms. Click a policy name to continue with adding the policy.

    Device Policies configuration screen

    You can also type the name of the policy in the search box. As you type, potential matches appear, and the results narrow until only matching policies remain. Click the policy you want to open the Policy Information page for that policy.

  3. Select the platforms you want to include in the policy. Configuration pages for the selected platforms appear in Step 5.

  4. Complete the Policy Information page and then click Next. The Policy Information page collects information, such as the policy name, to help you identify and track your policies. This page is similar for all policies.

  5. Complete the platform pages. Platform pages appear for each platform you selected in Step 3. These pages are different for each policy. A policy might differ among platforms. Not all policies apply to all platforms.

    Some pages include tables of items. To delete an existing item, hover over the line containing the listing and click the trash can icon on the right side. In the confirmation dialog, click Delete.

    To edit an existing item, hover over the line containing the listing and click the pen icon on the right side.

To configure deployment rules, assignments, and schedule

For more information about configuring deployment rules, see Deploy resources.

  1. On a platform page, expand Deployment Rules and then configure the following settings. The Base tab appears by default.

    • In the lists, click options to specify the deployment conditions. You can choose to deploy the policy when all conditions are met or when any conditions are met. The default option is All.
    • Click New Rule to define the conditions.
    • In the lists, click the conditions, such as Device ownership and BYOD.
    • Click New Rule again if you want to add more conditions. You can add as many conditions as you would like.
  2. Click the Advanced tab to combine the rules with Boolean options. The conditions you chose on the Base tab appear.

  3. You can use more advanced Boolean logic to combine, edit, or add rules.

    • Click AND, OR, or NOT.
    • In the lists, choose the conditions that you want to add to the rule. Then, click the Plus sign (+) on the right side to add the condition to the rule.

      At any time, you can click to select a condition and then click EDIT or Delete.

    • Click New Rule to add another condition.
  4. Click Next to move to the next platform page or, when all the platform pages are complete, to the Assignments page.

  5. On the Assignments page, select the delivery groups to which you want to apply the policy. If you click a delivery group, the group appears in the Delivery groups to receive app assignment box.

    The Delivery groups to receive app assignment box doesn’t appear until you select a delivery group.

    Device Policies configuration screen

  6. On the Assignments page, expand Deployment Schedule and then configure the following settings:

    • Next to Deploy, click On to schedule deployment or click Off to prevent deployment. The default option is On.
    • Next to Deployment schedule, click Now or Later. The default option is Now.
    • If you click Later, click the calendar icon and then select the date and time for deployment.
    • Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
    • Next to Deploy for always-on connection, click On or Off. The default option is Off.

      Note:

      This option applies when you have configured the scheduling background deployment key in Settings > Server Properties.

      The always-on option:

      • Is not available for iOS devices
      • Is not available for Android, Android Enterprise, and Chrome OS for customers who began using Endpoint Management with version 10.18.19 or later
      • Is not recommended for Android, Android Enterprise, and Chrome OS for customers who began using Endpoint Management with a version before 10.18.19

      The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection.

    Device Policies configuration screen

  7. Click Save.

    The policy appears in the Device Policies table.
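The procedure above describes two separate gates on whether a device receives a policy: the deployment rules (Base tab with All/Any, Advanced tab with AND/OR/NOT) and the deployment schedule (Deploy On/Off, Now/Later, On every connection versus Only when previous deployment has failed). The following Python model is an added illustration of how those settings combine on each device connection; it is not Endpoint Management code, and the condition names (ownership, platform), the sample devices, and the connection times are constructed for the example. Note the two edge cases it makes explicit: a device that does not report an attribute at all fails that condition rather than matching it, and with Only when previous deployment has failed, a device whose last deployment succeeded is skipped while a device that has never received the policy still gets it.

```python
"""Model of how a device policy's deployment rules and schedule decide whether
a policy is pushed to a device. Added illustration, not Endpoint Management
code: the condition names, device attributes and sample devices are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple, Union

Device = Dict[str, str]


@dataclass(frozen=True)
class Condition:
    """One condition row, such as Device ownership = BYOD."""
    attribute: str
    value: str

    def evaluate(self, device: Device) -> bool:
        # A device that does not report the attribute at all does not match.
        return device.get(self.attribute) == self.value


@dataclass(frozen=True)
class Rule:
    """Advanced tab: AND / OR / NOT over conditions or nested rules."""
    op: str
    operands: Tuple[Union[Condition, "Rule"], ...]

    def evaluate(self, device: Device) -> bool:
        results = [operand.evaluate(device) for operand in self.operands]
        if self.op == "AND":
            return all(results)
        if self.op == "OR":
            return any(results)
        if self.op == "NOT":
            if len(results) != 1:
                raise ValueError("NOT takes exactly one operand")
            return not results[0]
        raise ValueError(f"unknown operator {self.op!r}")


def base_rule(conditions: Iterable[Condition], match: str = "All") -> Rule:
    """Base tab: deploy when All conditions are met (AND) or Any is met (OR)."""
    if match not in ("All", "Any"):
        raise ValueError("match must be 'All' or 'Any'")
    return Rule("AND" if match == "All" else "OR", tuple(conditions))


@dataclass(frozen=True)
class Schedule:
    """Deployment Schedule settings from the Assignments page (documented defaults)."""
    deploy: bool = True                     # Deploy: On (True) or Off (False)
    not_before: Optional[datetime] = None   # Now (None) or Later (a date and time)
    only_if_previous_failed: bool = False   # Deployment condition


def should_deploy(rule: Rule, schedule: Schedule, device: Device,
                  now: datetime, previous_failed: Optional[bool]) -> bool:
    """Decide whether the policy is pushed to `device` on a connection at `now`.

    previous_failed is None if the policy was never deployed to this device,
    True if the last attempt failed, and False if it succeeded.
    """
    if not schedule.deploy:
        return False
    if schedule.not_before is not None and now < schedule.not_before:
        return False
    if schedule.only_if_previous_failed and previous_failed is False:
        return False  # the last deployment succeeded, so it is not repeated
    return rule.evaluate(device)


# Constructed sample devices (not real inventory data).
CORPORATE_IOS: Device = {"ownership": "Corporate", "platform": "iOS"}
CORPORATE_ANDROID: Device = {"ownership": "Corporate", "platform": "Android Enterprise"}
BYOD_ANDROID: Device = {"ownership": "BYOD", "platform": "Android Enterprise"}

# Base tab with All: corporate-owned AND iOS.
CORPORATE_AND_IOS = base_rule([Condition("ownership", "Corporate"),
                               Condition("platform", "iOS")], "All")
# Base tab with Any: corporate-owned OR iOS.
CORPORATE_OR_IOS = base_rule([Condition("ownership", "Corporate"),
                              Condition("platform", "iOS")], "Any")
# Advanced tab: corporate-owned AND NOT iOS.
CORPORATE_NOT_IOS = Rule("AND", (Condition("ownership", "Corporate"),
                                 Rule("NOT", (Condition("platform", "iOS"),))))

# Constructed connection times.
NOW = datetime(2024, 1, 15, 9, 0)
LATER = datetime(2024, 2, 1, 0, 0)
AFTER_LATER = datetime(2024, 2, 2, 0, 0)

if __name__ == "__main__":
    for name, device in [("corporate iOS", CORPORATE_IOS),
                         ("corporate Android", CORPORATE_ANDROID),
                         ("BYOD Android", BYOD_ANDROID)]:
        decision = should_deploy(CORPORATE_NOT_IOS, Schedule(), device, NOW, None)
        print(f"{name}: deploy={decision}")
```

Running the module prints the decision for each sample device against the corporate-and-not-iOS rule with the default schedule (Deploy On, Now, On every connection). The `Schedule` defaults mirror the defaults stated in the procedure, so a rule alone decides unless you change the schedule.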

Remove a device policy from a device

The steps to remove a device policy from a device depend on the platform.

  • Android

    To remove a device policy from an Android device, use the Endpoint Management Uninstall device policy. For information, see Endpoint Management uninstall device policy.

  • iOS and macOS

    To remove a device policy from an iOS or macOS device, use the Profile Removal device policy. On iOS and macOS devices, all policies are part of the MDM profile. Thus, you can create a Profile Removal device policy for just the policy that you want to remove. The rest of the policies and the profile remain on the device. For information, see Profile Removal device policy.

  • Windows 10 and Windows 11

    You can’t directly remove a device policy from a Windows Desktop or Tablet device. However, you can use either of the following methods:

    • Unenroll the device and then push a new set of policies to the device. Users then re-enroll to continue.

    • Push a security action to selectively wipe the specific device. That action removes all corporate apps and data from the device. You then remove the device policy from a delivery group that contains just that device and push the delivery group to the device. Users then re-enroll to continue.

  • Chrome OS

    To remove a device policy from a Chrome OS device, you can remove the device policy from a delivery group that contains just that device. You then push the delivery group to the device.

Edit a device policy

To edit a policy, select the check box next to a policy. The options menu appears above the policy list. Or, click a policy in the list to show more controls.

Device Policies configuration screen

To view policy details, click Show more.

To edit all settings for a device policy, click Edit.

If you click Delete, a confirmation dialog box appears. Click Delete again to delete the policy.

Check policy deployment status

Click a policy row on the Configure > Device Policies page to check its deployment status.

Device Policies Deployment status screen

When a policy deployment is pending, users can refresh the policy from Secure Hub by tapping Preferences > Device Information > Refresh policy.

Filter the list of added device policies

You can filter the list of added policies by policy types, platforms, and associated delivery groups. On the Configure > Device Policies page, click Show filter. In the list, select the check boxes for the items you want to see.

Device Policies configuration screen

Click SAVE THIS VIEW to save a filter. The name of the filter then appears in a button below the SAVE THIS VIEW button.

Device policy summaries

| Device Policy Name | Device Policy Description |
| --- | --- |
| AirPlay Mirroring | Adds specific AirPlay devices (such as Apple TV or another Mac computer) to iOS devices. You can also add devices to an allow list for supervised devices. That option limits users to only the AirPlay devices on the allow list. |
| AirPrint | Adds AirPrint printers to the AirPrint printer list on iOS devices. This policy makes it easier to support environments where the printers and the devices are on different subnets. |
| APN | Determines the settings used to connect your devices to the General Packet Radio Service (GPRS) of a specific phone carrier. This setting is already defined in most new phones. Use this policy if your organization doesn’t use a consumer APN to connect to the internet from a mobile device. |
| App Access | Defines a list of the apps that are required, optional, or prevented on the device. You can then create an automated action to react to the device’s compliance with that list of apps. |
| App Attributes | Specifies attributes, such as a managed app bundle ID or per-app VPN identifier, for iOS devices. |
| App Configuration | Remotely configures various settings and behaviors of apps that support managed configuration. To do that, you deploy an XML configuration file (called a property list, or plist) to iOS devices. Or, you deploy key/value pairs to Windows 10 desktop or tablet devices. |
| App Inventory | Collects an inventory of the apps on managed devices. Endpoint Management then compares the inventory to any app access policies deployed to those devices. In this way, you can detect apps that are on an allow list or block list for app access and then act accordingly. |
| App Lock | Defines a list of apps that users either can or can’t run on iOS or certain Android devices. Can turn an iPad into a kiosk. |
| App Permissions | Configures how Android Enterprise apps within work profiles handle requests for what Google calls “dangerous” permissions. |
| App Restrictions | Creates block lists for apps you want to prevent users from installing on Chrome OS devices. You can also create allow lists for the apps you permit users to install. |
| App Uninstall | Removes apps from user devices. |
| App Uninstall Restrictions | Specifies the apps that users can or can’t uninstall. |
| Application Guard | For the Microsoft Edge browser only, this policy specifies Windows Defender Application Guard settings. The settings include whether to block external content on enterprise sites. |
| Apps Notifications | Controls how iOS users receive notifications from specified apps. |
| Automatically update managed apps | Controls how installed managed apps are updated on Android Enterprise devices. |
| BitLocker | Configures the settings available in the BitLocker interface on Windows 10 and Windows 11 devices. |
| Bluetooth | Enables or disables Bluetooth on iOS devices. |
| Browser | Defines whether user devices can use the browser or which browser functions the devices can use. |
| Calendar (CalDAV) | Adds a calendar (CalDAV) account to iOS or macOS devices. The CalDAV account enables users to synchronize scheduling data with any server that supports CalDAV. |
| Cellular | Configures cellular network settings. |
| Connection scheduling | Required for Android devices to connect back to Endpoint Management for MDM management, app push, and policy deployment. If you don’t send this policy to devices and don’t enable Google FCM, a device can’t connect back to the server. |
| Contacts (CardDAV) | Adds an iOS contact (CardDAV) account to iOS or macOS devices. The CardDAV account enables users to synchronize contact data with any server that supports CardDAV. |
| Content | Controls various web content options for Chrome OS, including what home page to show and how popups are handled. |
| Credentials | Enables integrated authentication with your PKI configuration in Endpoint Management, for example with a PKI entity, a keystore, a credential provider, or a server certificate. |
| Custom XML | Customizes features such as provisioning devices, enabling device features, configuring devices, and managing faults. |
| Defender | Configures Windows Defender settings for Windows 10 and Windows 11 for desktop and tablet. |
| Device Guard | Enables security features such as secure boot, UEFI lock, and virtualization. |
| Device Health Attestation | Requires that Windows 10 and Windows 11 devices report the state of their health. To do that, they send specific data and runtime information to the Health Attestation Service (HAS) for analysis. The HAS creates and returns a Health Attestation Certificate that the device then sends to Endpoint Management. When Endpoint Management receives the Health Attestation Certificate, it can trigger the automated actions that you configured, based on the contents of that certificate. |
| Device Name | Sets the names on iOS and macOS devices so that you can identify the devices. You can use macros, text, or a combination of both to define a device name. |
| Education Configuration | Configures instructor and student devices for use with Apple Education. If instructors use the Classroom app, the Education Configuration device policy is required. Supported for iOS (iPadOS) devices. |
| Endpoint Management Options | Configures the Secure Hub behavior when connecting to Endpoint Management from Android devices. |
| Endpoint Management Uninstall | Uninstalls Endpoint Management from Android devices. When deployed, this policy removes Endpoint Management from all devices in the deployment group. |
| Exchange | Enables ActiveSync email for the native email client on the device. |
| Files | Adds script files to Endpoint Management that perform certain functions for users. Or, you can add document files that you want Android device users to be able to access on their devices. When you add the file, you can also specify the directory in which you want the file to be stored on the device. |
| FileVault | Lets you enable FileVault device encryption on enrolled macOS devices. You can also control how many times a user can skip FileVault setup during login. Available for macOS 10.7 or later. |
| Firewall | Configures the firewall settings. You provide the IP addresses, ports, and host names that you want to allow or block on devices. You can also configure the proxy and proxy reroute settings. |
| Font | Adds fonts to iOS and macOS devices. Fonts must be TrueType (.TTF) or OpenType (.OTF) fonts. Endpoint Management doesn’t support font collections (.TTC, .OTC). |
| Home screen layout | Specifies the layout of apps and folders for the iOS Home screen on supervised iOS devices. |
| Import Device Configuration | Imports a template configuration file from Workspace Hub devices. |
| Import iOS & macOS Profile | Imports device configuration XML files for iOS and macOS devices into Endpoint Management. The file contains device security policies and restrictions that you prepare by using the Apple Configurator. |
| Keyguard Management | Controls the features available to users before they unlock the device keyguard and the work challenge keyguard. You can also control device keyguard features for fully managed and dedicated devices. For example, you can disable lock screen features such as fingerprint unlock, trust agents, and notifications. |
| Launcher Configuration | Specifies settings for Citrix Launcher on Android devices, such as the apps allowed and a custom logo image for the Launcher icon. |
| LDAP | Provides information about an LDAP server to use for iOS devices, including any necessary account information such as the LDAP server host name. The policy also provides a set of LDAP search policies to use when querying the LDAP server. |
| Location | Lets you geo-locate devices on a map, assuming that the device has GPS enabled for Secure Hub. After deploying this policy to the device, you can send a locate command from Endpoint Management. The device then responds with its location coordinates. Endpoint Management also supports geofencing and tracking policies. |
| Lock screen message | Sets the messages that appear when a device is lost: on the login window of Shared iPads and on the lock screen of supervised iOS devices. |
| Mail | Configures an email account on iOS or macOS devices. |
| Managed Bookmarks | Deploys a folder of bookmarks to Chrome OS devices. |
| Managed Configurations | Controls various app configuration options and app restrictions for Android Enterprise devices. |
| Managed Domains | Defines managed domains that apply to email and the Safari browser. Managed domains help you protect corporate data by controlling which apps can open documents downloaded from domains using Safari. For iOS supervised devices, you can specify URLs or subdomains to control how users can open documents, attachments, and downloads from the browser. |
| Maximum resident users | Specifies the maximum number of users for a Shared iPad. Supported for iOS and iPadOS devices. |
| MDM Options | Manages Find My Phone and iPad Activation Lock on supervised iOS devices. |
| Network | Allows administrators to deploy Wi-Fi router details to managed devices. The router details include SSID, authentication data, and configuration data. |
| Network Usage | Sets network usage rules to specify how managed apps use networks, such as cellular data networks, on iOS devices. The rules only apply to managed apps. Managed apps are apps that you deploy to user devices through Endpoint Management. |
| Office | Deploys Microsoft Office apps to any devices running Windows 10 (version 1709 or later) or Windows 11. |
| Organization Info | Specifies organization information for alert messages that Endpoint Management deploys to iOS devices. |
| OS Update | Deploys the latest OS updates to devices that are supported and supervised. |
| Passcode | Enforces a PIN code or password on a managed device. You can set the complexity and timeouts for the passcode on the device. |
| Passcode lock grace period | Specifies the number of minutes that a Shared iPad screen stays locked before the user must enter a passcode to unlock the screen. Supported for iOS and iPadOS devices. |
| Personal Hotspot | Allows users to connect to the internet when they are not in range of a Wi-Fi network. Users connect through the cellular data connection on their iOS device, using personal hotspot functionality. |
| Power management | Controls how Chrome OS devices respond to idle periods when using AC or battery power. |
| Profile Removal | Removes the app profile from macOS devices. |
| Provisioning Profile | Specifies an enterprise distribution provisioning profile to send to devices. When you develop and code sign an iOS enterprise app, you usually include a provisioning profile. Apple requires the profile for the app to run on an iOS device. If a provisioning profile is missing or has expired, the app crashes when a user taps to open it. |
| Provisioning Profile Removal | Removes iOS provisioning profiles. |
| Proxy | Specifies global HTTP proxy settings for devices running iOS. You can deploy only one global HTTP proxy policy per device. |
| Public Session | Configures a Chrome OS device to act as a public device in guest mode. |
| Restrictions | Provides hundreds of options to lock down and control features and functionality on managed devices. Examples of restriction options: disable the camera or microphone, enforce roaming rules, and enforce access to third-party services, such as app stores. |
| Roaming | Configures whether to allow voice and data roaming on iOS devices. If voice roaming is disabled, data roaming is automatically disabled. |
| Samsung MDM License Key | Specifies the built-in Samsung Enterprise License Management (ELM) key that you must deploy to a device. Endpoint Management also supports the Samsung Enterprise Firmware-Over-The-Air (E-FOTA) service. |
| SCEP | Configures iOS and macOS devices to retrieve a certificate from an external SCEP server. You can also deliver a certificate to the device using SCEP from a PKI that is connected to Endpoint Management. To do that, create a PKI entity and a PKI provider in distributed mode. |
| Single sign-on (SSO) Account | Creates SSO accounts so users sign on only once to access Endpoint Management and your internal company resources. Users do not need to store any credentials on the device. Endpoint Management uses the enterprise user credentials for an SSO account across apps, including apps from the App Store. This policy is compatible with Kerberos authentication. Available for iOS. |
| Storage Encryption | Encrypts internal and external storage. For some devices, this policy prevents users from using a storage card on their devices. |
| Store | Specifies whether an app store web clip appears on the home screen of user devices. |
| Subscribed Calendars | Adds a subscribed calendar to the calendars list on iOS devices. Ensure that you subscribe to a calendar before you add it to the subscribed calendars list on user devices. |
| Terms and Conditions | Requires that users accept the specific policies of your company that govern connections to the corporate network. When users enroll their devices with Endpoint Management, they must accept the terms and conditions to enroll their devices. Declining the terms and conditions cancels the enrollment process. |
| Tunnel | Defines proxy parameters between the client component of any mobile device app and the app server component. |
| VPN | Provides access to back-end systems that use legacy VPN gateway technology. This policy provides VPN gateway connection details that you can deploy to devices. Endpoint Management supports several VPN providers, including Cisco AnyConnect, Juniper, and Citrix VPN. If your VPN gateway supports this option, you can link this policy to a CA and enable VPN on-demand. |
| Wallpaper | Adds a .png or .jpg file to set the wallpaper on an iOS device lock screen, home screen, or both. To use a different wallpaper on iPads and iPhones, create different wallpaper policies and deploy them to the appropriate users. |
| Web clip | Places shortcuts, or web clips, to websites so that they appear alongside apps on user devices. You can specify your own icons to represent the web clips for iOS, macOS, and Android devices. Windows tablet only requires a label and a URL. |
| Web Content Filter | Filters web content on iOS devices. Endpoint Management uses the Apple auto-filter function and the sites that you add to allow lists and block lists. Available only for iOS supervised devices. |
| Windows Agent | Enable this policy to run uploaded PowerShell scripts on Windows desktops and tablets. |
| Windows GPO configuration | Configures Group Policy Objects (GPOs) for any Windows device supported by Citrix Workspace Environment Management. |
| Windows Hello for Business | Enables the Windows feature so users can provision Windows Hello for Business on their device. The policy also lets you configure passcode limitations and other security features. |

Device policies by platform

| Policy | iOS | macOS | Android Enterprise | Android (Legacy DA) | Chrome OS | Windows Desktop/Tablet | Other |
| --- | --- | --- | --- | --- | --- | --- | --- |
| AirPlay mirroring device policy | X | X | | | | | |
| AirPrint device policy | X | | | | | | |
| APN device policy | X | | | X | | | |
| App access device policy | X | | | X | | | |
| App attributes device policy | X | | | | | | |
| App configuration device policy | X | | | | | X | |
| App inventory device policy | X | X | X | X | | X | |
| App lock device policy | X | | | X | | X | |
| App permissions device policy | | | X | | | | |
| App restrictions device policy | | | | | X | | |
| App uninstall device policy | X | X | X | X | | | |
| App uninstall restrictions device policy | | | | | | | X |
| Application Guard device policy | | | | | | X | |
| Apps notifications device policy | X | | | | | | |
| Automatically update managed apps | | | X | | | | |
| BitLocker device policy | | | | | | X | |
| Bluetooth device policy | X | | | | | | |
| Browser device policy | | | | | | | X |
| Calendar (CalDav) device policy | X | X | | | | | |
| Cellular device policy | X | | | | | | |
| Connection scheduling device policy | | | X | X | X | | |
| Contacts (CardDAV) device policy | X | X | | | | | |
| Content device policy | | | | | X | | |
| Copy Apps to Samsung Container device policy | | | | | | | X |
| Credentials device policy | X | X | X | X | X | X | |
| Custom XML device policy | | | X | | | X | |
| Defender device policy | | | | | | X | |
| Device Guard device policy | | | | | | X | |
| Device Health Attestation device policy | | | | | | X | |
| Device name device policy | X | X | | | | | |
| Education Configuration device policy | X | | | | | | |
| Endpoint Management options device policy | | | X | X | | | |
| Endpoint Management uninstall device policy | | | | X | | | |
| Exchange device policy | X | X | X | X | | X | |
| Files device policy | | | X | X | | | |
| FileVault device policy | | X | | | | | |
| Firewall device policy | | X | | | | X | |
| Font device policy | X | X | | | | | |
| Home screen layout device policy | X | | | | | | |
| Import Device Configuration device policy | | | | | | | X |
| Import iOS & macOS Profile device policy | X | X | | | | | |
| Keyguard Management device policy | | | X | | | | |
| Kiosk device policy | | | X | | X | X | |
| Launcher configuration device policy | | | X | X | | | |
| LDAP device policy | X | X | | | | | |
| Location device policy | X | | X | X | | | |
| Lock screen message device policy | X | | | | | | |
| Mail device policy | X | X | | | | | |
| Managed bookmarks device policy | | | | | X | | |
| Managed configurations device policy | | | X | | | | |
| Managed domains device policy | X | | | | | | |
| Maximum resident users device policy | X | | | | | | |
| MDM options device policy | X | | | | | | |
| Network device policy | X | | X | X | X | | |
| Network usage device policy | X | | | | | | |
| Office device policy | | | | | | X | |
| Organization information device policy | X | | | | | | |
| OS Update device policy | X | X | X | | X | X | |
| Passcode device policy | X | X | X | X | | X | |
| Passcode lock grace period device policy | X | | | | | | |
| Personal hotspot device policy | X | | | | | | |
| Power management device policy | | | | | X | | |
| Profile Removal device policy | X | X | | | | | |
| Provisioning profile device policy | X | | | | | | |
| Provisioning profile removal device policy | X | | | | | | |
| Proxy device policy | X | | | | | | |
| Public session device policy | | | | | X | | |
| Restrictions device policy | X | X | | X | X | X | |
| Roaming device policy | X | | | | | | |
| Samsung MDM license key device policy | | | X | | | | |
| SCEP device policy | X | X | | | | | |
| Siri and dictation policies | X | | | | | | |
| SSO account device policy | X | | | | | | |
| Storage encryption device policy | | | | | | | |
| Store device policy | X | | | X | | X | |
| Subscribed calendars device policy | X | | | | | | |
| Terms and conditions device policy | X | | | X | | X | |
| Tunnel device policy | | | | X | | | |
| VPN device policy | X | X | | X | X | X | |
| Wallpaper device policy | X | | | | | | |
| Web clip device policy | X | X | | X | | X | |
| Web content filter device policy | X | | | | | | |
| Windows Agent device policy | | | | | | X | |
| Windows GPO configuration device policy | | | | | | X | |
| Windows Hello for Business device policy | | | | | | X | |
